A new problem, the Byzantine Firing Squad problem, is defined and solved in
two versions, Permissive and Strict. Both problems provide for synchronization
of initially unsynchronized processors in a synchronous network, in the absence
of a common clock and in the presence of a limited number of faulty processors.

but might transmit r times as many bits, where r is the number of rounds used.

by a chosen Byzantine Agreement algorithm.

works]: Distributed Systems; D.1.3 [Programming Techniques]: Concurrent

1. INTRODUCTION


We consider a problem of synchronizing a collection of processors, some of
which might be faulty. We assume that the processors are connected by a
complete, synchronous network. Although communication is synchronous, we will not
assume the global availability of a “current time.” A solution to this
synchronization problem, which we call the “Byzantine Firing Squad” problem, would be
useful in the following types of situations.

(a) Real-time processing. It might be necessary for several processors to carry
out some external action simultaneously, perhaps after the occurrence of a
particular unpredictable event. For example, several processors on board an
aircraft might be responsible for causing several actuators to perform a specific
action in concert, in response to a signal from the pilot. The signal might
arrive at the different processors at different times. A Byzantine Firing Squad
algorithm could be used to synchronize the processors’ actions.

(b) Distributed initiation. Most synchronous parallel distributed algorithms
assume that all processors begin their protocols together. If we would like to use
such algorithms in a network in which there is no common notion of time, we
need to cause the processors participating in the algorithm to synchronize their
start times. A preliminary Byzantine Firing Squad algorithm could be used to
accomplish this.

(c) Distributed termination. In certain algorithms (e.g., synchronous probabilistic
agreement [1], approximate agreement [3]), individual processors might
complete their parts of the algorithm at different times. If it is necessary to
guarantee simultaneous termination, a Byzantine Firing Squad algorithm could be
run after the main algorithm.

This synchronization problem can be considered to be a combination of two
well-known problems: the Firing Squad Synchronization problem and the Byzantine
Generals problem. Accordingly, we call the new problem the Byzantine Firing
Squad problem.


The Firing Squad Synchronization problem was first proposed in about 1957 by
John Myhill and described by Edward Moore in 1962 [9]. In the original problem, a
finite number of finite state machines connected in a line are to be programmed so
that they all go to a particular state (“fire”) simultaneously after a “Start” signal
is given by one of the machines at the end of the line, the “General”. Over the
years, this problem has been generalized and widely studied (see the bibliography
in Nishitani and Honda [10]). In our problem, the finite state machines are replaced
by (not necessarily finite) automata connected by a complete network.

The Byzantine Generals problem was first proposed by Pease, Shostak and
Lamport [11], although it did not receive that name until a later work appeared [8].
For a recent bibliography of work on the problem see Fischer [5]. The Byzantine
Generals problem can be paraphrased as follows. The General must broadcast a
value to the remaining processors, even though some processors might be faulty.
If the General is a reliable processor, then all reliable processors must correctly
determine the value. Even if the General is faulty, all reliable processors must agree
on some (arbitrary) value. (A reliable processor always behaves according to a
given protocol, while a faulty processor can behave in an arbitrary way.) We will
assume that all processors are acting as Generals, broadcasting a local value to the
others, so that at the end of the algorithm all reliable processors agree on a vector of
values. Thus, Byzantine Agreement for broadcasting a local value of each processor
is reached if and only if at the end of the algorithm the following conditions hold:

(A1) Agreement: All reliable processors agree on the same vector of values.

(A2) Validity: If processor i is reliable, then the ith component of the agreed upon
vector is the value that i broadcast.

A Byzantine Agreement algorithm is called f-resilient if Byzantine Agreement
is reached for any number of faulty processors not exceeding f. We will use f for
the number of faulty processors and n for the total number of processors for the
remainder of the paper.

The Byzantine Firing Squad problem combines the Firing Squad problem with
the Byzantine Generals problem. Initially, all the (reliable) processors are
“quiescent” (not communicating). At an unpredictable time, we can require the system
to begin the firing protocol. This is done by sending special START signals to some
of the processors (possibly at different times). Within a finite number of rounds,
all of the reliable processors must simultaneously send special FIRE signals, even
though a limited number of processors might exhibit “Byzantine” failure.

Section 2 gives a more formal description of two versions, Permissive and Strict,
of the Byzantine Firing Squad problem. The versions differ in the number of START
signals which the external source must send to force firing. Section 3 presents
a family of solutions to these Byzantine Firing Squad problems; each solution is
based on a chosen Byzantine Agreement algorithm. These solutions take no more
rounds than the chosen algorithm, but might require sending r times as many bits
as sent by the Byzantine Agreement algorithm. We show in section 4 how to reduce
this to only n² bits plus four times as many bits as sent by Byzantine Agreement
with the addition of only one preliminary round for the Permissive case and two
preliminary rounds for the Strict case.

We hope that our solutions will seem simple and clear to the reader, but this
should not imply that the algorithms are easily obtained. Indeed, a direct solution
to the problem is not immediately obvious. Instead, we give an example of a
reduction between distributed problems (it would be nice to have more such examples).
We encourage the reader to consider the problem carefully before examining the
solutions in sections 3 and 4.

2. THE DEFINITION OF THE PROBLEM

We model a synchronous system by a state transition system. We will not
burden the reader with a lot of notational detail, but trust that the following
description is sufficient to construct the formal state transition system that we have
in mind.

A synchronous system consists of a set of processors, an initial state for each
processor, and transition functions which determine the protocols of the processors.
In each transition (also referred to as a round), a processor receives a message
from every other processor and an external source, sends a message to every other
processor and an external destination, and goes to a new state.

The reliable processors always send the messages specified by their protocols,
but the faulty processors can send any messages. In particular, we do not assume
that processors can append unforgeable signatures to their messages. For results on
the Byzantine Firing Squad problem with signatures refer to Coan, Dolev, Dwork
and Stockmeyer [2].

In a synchronous system, information can be conveyed by the absence of a
signal as well as by an explicit signal. Thus, we distinguish a particular message,
called the null message; all other messages are simply called signals. A processor is
said to be quiescent at a certain state if, in any transition from that state in which
it receives only null messages, it sends only null messages and remains in the same
state. If a processor is not quiescent then it is awake.

We require that all processors be quiescent in their initial states. Initial
quiescence guarantees that no signals will be sent by any reliable processor until the
external source or a faulty processor sends a signal to some reliable processor.

For the Byzantine Firing Squad problem, the only signal which is ever sent by
the external source is a special START signal, which is used to initiate the firing
protocol. The only signal which is ever sent to the external destination is a special
FIRE signal, indicating that the processor has fired.

The Byzantine Firing Squad problem admits several variations depending on
how we wish to force firing. We might want firing to occur if just a single START
signal (from the external source) is received by any reliable processor. Note that
this implies that a faulty processor can cause firing by pretending to be a reliable
processor which has received a START signal. On the other hand, if we prohibit
firing until some reliable processor has received a START signal, then a single START
signal is not sufficient to guarantee firing, since a lone processor cannot (in general)
convince the others that it is reliable. We term these two variations Permissive and
Strict. (An algorithm which solves one of these does not solve the other.)

An f-resilient Permissive Byzantine Firing Squad algorithm must satisfy the
following conditions whenever the number of faulty processors does not exceed f:

(C1) Agreement: If any reliable processor sends a FIRE message in some round, then
all reliable processors send a FIRE message in that round.

(C2) Permissive Validity: If any reliable processor receives a START signal, then
some reliable processor eventually sends a FIRE message.

An f-resilient Strict Byzantine Firing Squad algorithm will satisfy (C1) and
the following additional condition whenever the number of faulty processors does
not exceed f:

(C2’) Strict Validity:

a) If at least f + 1 reliable processors receive a START signal, then some
reliable processor eventually sends a FIRE message.

b) If any reliable processor sends a FIRE message, then some reliable processor
previously received a START signal.

We wish to measure the efficiency of communication of our algorithms. It is not
useful to measure the direct costs incurred by faulty processors since these might
be unbounded. We also wish to avoid charging for “preliminary rounds” which are
caused by faulty processors and do not lead to termination. We therefore introduce
the concept of “measured portion of a computation.”

Let A be an algorithm. If A is a Byzantine Agreement algorithm, then the
entire computation from initial state to termination is measured. If A is a Permissive
Byzantine Firing Squad algorithm, then the measured portion of the computation
is from the first reception of a START message by a reliable processor until a
reliable processor fires. If A is a Strict Byzantine Firing Squad algorithm, then
the measured portion of the computation is from the round in which the (f + 1)st
reliable processor receives a START signal until a reliable processor fires. Now we
can define our time measure, Rounds(A), simply as the worst case number of rounds
in the measured portion of the computation. Many communication measures are
possible. We shall use Bits(A) as the worst case total number of bits sent by all the
reliable processors in the measured portion of the computation. We assume that
variable length messages are used so that the shortest non-null message that can
be sent costs one bit.

3. TIME EFFICIENT SOLUTIONS TO THE BYZANTINE FIRING SQUAD PROBLEMS

Our solutions are based on an arbitrary Byzantine Agreement algorithm (which
satisfies the restriction specified below). Our algorithms inherit most of the
characteristics of the chosen agreement algorithm, so that behavior can be tailored
as desired (e.g., minimizing Rounds or Bits). Also, the resiliency of the derived
Byzantine Firing Squad algorithm is identical to that of the Byzantine Agreement
algorithm. Since it is known that n > 3f is sufficient for Byzantine Agreement [8],
the Byzantine Firing Squad problem can also be solved whenever n > 3f. It has
also been shown [2], by reducing Lamport's Weak Byzantine Agreement problem [7]
to the Byzantine Firing Squad problem, that the latter problem cannot be solved
unless n > 3f.

All of the deterministic Byzantine Agreement algorithms that we know of
satisfy the following condition:

(A3) Rounds(A) is bounded.

In this case, we say A is a Bounded Byzantine Agreement algorithm. (Note that
(A3) need not imply that A is “immediate” as defined by Dolev, et al. [4].) In the
remainder of the paper, we will let Rounds(A) = r.

Let A be a Bounded Byzantine Agreement algorithm. We use A to construct
new algorithms Bp(A) and Bs(A) which solve the Permissive and Strict Byzantine
Firing Squad problem, respectively. When A is understood from context, we simply
refer to Bp and Bs. Also, since Bp and Bs are very similar, it is convenient to
use B to refer to them jointly. In algorithm Bp, the reliable processors will all fire
within at most r rounds after the first reliable processor receives a START signal.
In algorithm Bs all reliable processors fire in at most r rounds after f + 1 reliable
processors have received a START signal.

We begin by describing algorithms B'p(A) and B's(A) which satisfy all the
required conditions for a slightly more general model in which the processors are
not required to be quiescent initially. The basic idea of algorithm B'(A) is to
simulate a copy of algorithm A starting in each round. Each simulation runs for
exactly r rounds, so that at any time only r are in progress. The messages from the
active simulations of algorithm A are coded into a single message for algorithm B'
in a straightforward way. At each time t, each processor begins participating in a
simulation of algorithm A in which it sends a value which is coded to mean 0: “Not
Ready” or 1: “Ready.” A processor becomes Ready upon the receipt of a START
signal and remains Ready thereafter. At time t + r this simulation terminates, and
a vector of values is computed. For B'p, all reliable processors fire if the vector is
not all zero. For B's, they fire if there are at least f + 1 non-zero elements.

Theorem 1. Let A be an f-resilient Bounded Byzantine Agreement algorithm.
Then algorithms B'p(A) and B's(A) are f-resilient and satisfy conditions (C1) and
(C2), and (C1) and (C2’), respectively. Also, Rounds(B'p(A)) = Rounds(A) and
Bits(B'p(A)) ≤ Rounds(A) × Bits(A) hold for B'p, while Rounds(B's(A)) = Rounds(A)
and Bits(B's(A)) ≤ Rounds(A) × Bits(A) hold for B's.

Proof: The f-resiliency of B'p and B's follow directly from the f-resiliency
of A. By assumption, A satisfies (A1), (A2), and (A3). By (A1), all reliable
processors use the same vector to make their firing decisions in each round, so
(C1) is satisfied (for both B'p and B's). By (A2), this vector will be non-zero for the
simulation beginning with the round in which the first reliable processor receives
a START signal, so (C2) is satisfied for B'p; furthermore, by (A3), firing occurs
within r rounds after the first reception of a START signal by a reliable processor,
so Rounds(B'p(A)) = Rounds(A).

Algorithm B's satisfies (C2’b) since if no reliable processor ever receives a
START signal, then no vector can be computed with more than f ones (by (A2)), so
no reliable processor will fire. Condition (C2’a) is also satisfied since if f + 1 reliable
processors have received START signals by round t, then a vector will be computed
by round t + r which has at least f + 1 ones, causing some reliable processor to fire.
Also, firing must occur within r rounds after f + 1 reliable processors have received
a START signal, so Rounds(B's(A)) = Rounds(A).

The composite message transmitted by a reliable processor in one round
includes exactly one message from each round of a simulation of A, so the number
of bits sent by all reliable processors in any round (using a suitable encoding) is
bounded by Bits(A). Since at most r rounds occur in the measured portion of the
computation, Bits(B'(A)) ≤ Rounds(A) × Bits(A), for both B'p and B's. □

We now show how to modify the B' algorithms to obtain B algorithms which
meet the condition of initial quiescence required by our model. The difficulty is that
when a reliable processor receives its first signal, some simulations might already
be in progress. However, a great deal can be inferred about these computations.

Consider the specific computation of algorithm A in which all processors are
reliable and each sends value 0. We call this computation the zero computation and
refer to the messages that are sent as zero messages. These computations and their
messages are completely defined and precomputable.

Any one-to-one encoding of meanings to messages can be used without affecting
the behavior of an algorithm. We choose to code a special meaning into the null
message. A null message is interpreted to consist of zero messages for each of the r
simulations in progress. Now consider the particular computation of algorithm B'
using this coding in which all processes are reliable and no START signal is received
from the external source. After r rounds, all processors begin sending null messages
and continue to do so throughout the remainder of the computation. At this point,
all processors are quiescent, according to our definition. We therefore define the B
algorithms to be identical to the B' algorithms except that the initial states of the
processors are chosen to be the states reached using algorithm B' after r rounds of
the particular computation described above.

Theorem 2. Let A be an f-resilient Bounded Byzantine Agreement algorithm.
Then algorithms Bp(A) and Bs(A) are f-resilient solutions to the Permissive
and Strict Byzantine Firing Squad problems, respectively. Furthermore, we have
Rounds(Bp(A)) = Rounds(Bs(A)) = Rounds(A), and both Bits(Bp(A)) and
Bits(Bs(A)) are less than or equal to Rounds(A) × Bits(A).

Proof: By construction, all processors are quiescent in their initial states, so
the initial condition required by the model is satisfied both for Bp and Bs. The
remaining conditions follow directly from Theorem 1. □
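The construction of section 3 can be exercised end to end on a small instance. The following Python sketch is an added example, not code from the paper: it assumes n = 4 and f = 1, uses the two-round oral-messages exchange with majority voting as the agreement algorithm A (the paper leaves A abstract), treats a message sent in round t as received in round t, and starts from the state left by the zero computation; all names are hypothetical.

```python
import random
from collections import Counter

N, F = 4, 1                 # constructed instance with n > 3f; A needs r = 2 rounds
FAULTY = {3}
RELIABLE = [p for p in range(N) if p not in FAULTY]

def majority(bits):
    return Counter(bits).most_common(1)[0][0]

def run(start_round, mode, adversary, rounds=10):
    """Run the pipelined simulations and return {reliable id: rounds it fired in}.

    start_round: {reliable id: round in which its START arrives}
    mode: "permissive" (fire on a non-zero vector) or "strict" (>= f+1 ones)
    adversary(t, recipient) -> (bit, relay): what the faulty processor sends
        to `recipient` in round t; it may differ per recipient.
    """
    fired = {p: [] for p in RELIABLE}
    # Bits received directly for the previous simulation; all zero initially,
    # i.e. the state reached by the zero computation.
    direct_prev = {p: [0] * N for p in RELIABLE}
    for t in range(1, rounds + 1):
        # Composite message of round t: (own Ready bit for S_t,
        # relay of the bits received directly for S_{t-1}).
        msgs = {}
        for p in RELIABLE:
            ready = int(p in start_round and start_round[p] <= t)
            msgs[p] = {q: (ready, list(direct_prev[p])) for q in RELIABLE}
        for b in FAULTY:
            msgs[b] = {q: adversary(t, q) for q in RELIABLE}
        direct_now = {}
        for p in RELIABLE:
            direct_now[p] = [msgs[i][p][0] for i in range(N)]
            # Finish S_{t-1}: component i is the majority of the bit i sent
            # directly and the relays of that bit from the other processors.
            vector = []
            for i in range(N):
                if i == p:
                    vector.append(direct_prev[p][p])
                else:
                    votes = [direct_prev[p][i]]
                    votes += [msgs[j][p][1][i] for j in range(N) if j not in (i, p)]
                    vector.append(majority(votes))
            ones = sum(vector)
            if (mode == "permissive" and ones >= 1) or (mode == "strict" and ones >= F + 1):
                fired[p].append(t)
        direct_prev = direct_now
    return fired

def silent(t, q):
    """Faulty processor that always sends the zero message."""
    return (0, [0] * N)

def liar(t, q):
    """Faulty processor that claims to be Ready without any START."""
    return (1, [0, 0, 0, 1])

def random_adversary(seed):
    """Faulty processor that sends independent random bits to each recipient."""
    rng = random.Random(seed)
    return lambda t, q: (rng.randrange(2), [rng.randrange(2) for _ in range(N)])

if __name__ == "__main__":
    print("permissive, START to 0 in round 3:", run({0: 3}, "permissive", silent))
    print("permissive, forged Ready only:    ", run({}, "permissive", liar))
    print("strict, forged Ready only:        ", run({}, "strict", liar))
```

The second and third runs show the difference between the two versions that section 2 points out: a single faulty processor forces firing under the Permissive rule, while under the Strict rule its one forged component never reaches f + 1.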

4. COMMUNICATION EFFICIENT SOLUTIONS TO THE BYZANTINE FIRING SQUAD PROBLEMS

The solutions presented in the preceding section send up to r times as many
bits as the chosen Byzantine Agreement algorithm. Since it is known that r > f
[6], this is a significant increase in communication cost. Various coding tricks (such
as using short codes for expected messages and taking advantage of knowledge
of which processors are faulty when possible) could be used to reduce this cost.
However, we will show how to reduce the increase in cost to a constant factor (and
an additional n² bits) without any sophisticated coding. Our method requires at
most one additional round for the Permissive problem and two additional rounds
for the Strict problem.

We wish to define new algorithms, Cp(A) and Cs(A), which are similar to
Bp(A) and Bs(A), respectively, but send many fewer bits than A. We begin by
defining auxiliary algorithms C'p(A) and C's(A) which are identical to Bp(A) and
Bs(A) except in the way that Ready is defined and the condition under which firing
occurs. The C' algorithms also use some preliminary messages to establish the
Ready condition. We will then show how to modify the C' algorithms to get the C
algorithms.

In C'p, a processor becomes Ready upon receiving any signal, rather than only
upon receiving a START signal as in Bp. The firing condition is changed to “fire if
there are at least f + 1 non-zero elements in the computed vector.” The first time a
reliable processor receives a signal and becomes Ready, it sends a special GO signal
to every other processor. At most n² GO signals will be sent.

In C's, a processor sends the GO signal to every processor after receiving either
a START signal or GO signals from f + 1 other processors (which implies that some
reliable processor has received a START signal). A reliable processor sends GO
signals only the first time such a condition occurs and sends only null messages
otherwise until it becomes Ready. A reliable processor becomes Ready only after
receiving GO signals from at least 2f + 1 processors (perhaps including itself). The
firing condition for C's is the same as for C'p: “fire if there are at least f + 1 non-zero
elements in the computed vector.”

Theorem 3. Let A be an f-resilient Bounded Byzantine Agreement algorithm.
Then C'p(A) and C's(A) are f-resilient and satisfy conditions (C1) and (C2), and
(C1) and (C2’), respectively. Furthermore, Rounds(C'p(A)) ≤ Rounds(A) + 1 and
Rounds(C's(A)) ≤ Rounds(A) + 2.

Proof: Since C'p and C's simulate A and all processors use the same firing
condition, both are f-resilient and (C1) is satisfied for both.

Let t be the round in which the first reliable processor receives a START
message in C'p. Then at least f + 1 reliable processors will be Ready by round t + 1,
and all reliable processors will fire no later than round t + r + 1. Thus, C'p satisfies
(C2) and Rounds(C'p(A)) ≤ Rounds(A) + 1.

Let t be the round in which the (f + 1)st processor receives a START message in
C's. Then by round t + 1 every reliable processor will have received GO signals from
at least f + 1 processors, and by round t + 2 every reliable processor will be Ready
(since at least 2f + 1 processors will have sent GO signals). Thus, firing will occur
by round t + r + 2, and C's satisfies (C2’a) and Rounds(C's(A)) ≤ Rounds(A) + 2.
Finally, if no reliable processor receives a START signal, then no reliable processor
will send a GO signal and no reliable processor will become Ready, hence firing will
not occur and (C2’b) is satisfied. □

We now show how to derive C from C' by reducing the number of simulations of
A. We take advantage of the fact that all reliable processors become Ready within
a time period of at most two rounds, which is shown by the following lemma.

Lemma 4. In either Cp or Cs, if a reliable processor becomes Ready in round t
then all reliable processors become Ready in either rounds t and t − 1 or in rounds
t and t + 1.

Proof: Let t be the first round in which a reliable processor becomes Ready. In
Cp, all reliable processors which are not Ready in round t will receive a GO signal
and become Ready in round t + 1. In Cs, since some reliable processor received
2f + 1 GO signals by round t, every reliable processor must have received f + 1 GO
signals by round t. Thus, every reliable processor will send a GO signal in round t
if not before, and every reliable processor will be Ready no later than round t + 1.
□
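The GO thresholds of the Strict rule and the two-round window of Lemma 4 can be checked by simulation against faulty processors that send GO selectively. The following Python sketch is an added example, not part of the paper: the instance (n = 7, f = 2), the function names, the adversary callback and the weakened relay threshold are assumptions for illustration, and a GO sent in round t is taken to arrive in round t + 1, a processor's own GO included.

```python
import random

def ready_phase(n, f, faulty, start_round, adversary, relay_threshold=None, rounds=12):
    """Simulate the GO/Ready phase of the Strict rule for `rounds` rounds.

    start_round: {reliable id: round in which its START arrives}
    adversary(t, sender, recipient) -> bool: does faulty `sender` send GO to
        `recipient` in round t (it may treat recipients differently).
    relay_threshold: GO senders needed before relaying; the paper uses f + 1.
    Returns {reliable id: round it became Ready, or None}.
    """
    relay = f + 1 if relay_threshold is None else relay_threshold
    reliable = [p for p in range(n) if p not in faulty]
    heard = {p: set() for p in reliable}    # distinct GO senders seen so far
    inbox = {p: set() for p in reliable}    # GOs sent last round, arriving now
    ready = dict.fromkeys(reliable)
    go_sent = dict.fromkeys(reliable)
    for t in range(1, rounds + 1):
        outbox = {p: set() for p in reliable}
        for p in reliable:
            heard[p] |= inbox[p]
            # Ready only after GO signals from at least 2f + 1 processors.
            if ready[p] is None and len(heard[p]) >= 2 * f + 1:
                ready[p] = t
            # Send GO once: on START, or on GO from `relay` other processors.
            if go_sent[p] is None and (start_round.get(p) == t or len(heard[p]) >= relay):
                go_sent[p] = t
                for q in reliable:
                    outbox[q].add(p)        # own GO counts ("perhaps including itself")
        for b in faulty:
            for q in reliable:
                if adversary(t, b, q):
                    outbox[q].add(b)
        inbox = outbox
    return ready

def ready_spread(ready):
    """None if nobody became Ready; otherwise last minus first Ready round
    (infinite if some reliable processor never became Ready)."""
    values = list(ready.values())
    if all(r is None for r in values):
        return None
    if any(r is None for r in values):
        return float("inf")
    return max(values) - min(values)

N, F, FAULTY = 7, 2, {5, 6}     # constructed instance with n > 3f

def split_attack():
    # Both faulty processors send GO to processor 0 only, to make it Ready early.
    adv = lambda t, b, q: t == 1 and q == 0
    return ready_phase(N, F, FAULTY, {0: 1, 1: 1, 2: 1}, adv)

def forged_go(relay_threshold=None):
    # No START reaches any reliable processor; faulty ones send GO to everyone.
    return ready_phase(N, F, FAULTY, {}, lambda t, b, q: True, relay_threshold)

def random_adversary(seed):
    # The (f + 1)st START arrives in round 4; faulty GOs are random per recipient.
    rng = random.Random(seed)
    adv = lambda t, b, q: rng.random() < 0.5
    return ready_phase(N, F, FAULTY, {0: 1, 1: 3, 2: 4}, adv)

if __name__ == "__main__":
    print("split attack:           ", split_attack())
    print("forged GO, relay at f+1:", forged_go())
    print("forged GO, relay at 1:  ", forged_go(relay_threshold=1))
```

With the relay threshold lowered to 1 (a hypothetical weakening, not an algorithm from the paper), the f forged GO signals alone make every reliable processor Ready, which is exactly what condition (C2’b) forbids.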


Let us denote the simulation which will terminate in round t + r (and hence
conceptually began in round t) by S_t. If simulation S_t would cause firing if carried
to completion (i.e., the computed vector will have more than f non-zero values),
then we say that S_t will fire. In our revision of C', a processor will not send the
messages of all r simulations that are used in C'. If processor p does send the
messages of simulation S_t, then we say that p participates in simulation

Suppose processor p becomes Ready in round t. Then, by Lemma 4, p can
deduce that S_{t+1} will fire since all reliable processors will be Ready no later than
round t + 1. Also, by Lemma 4, will not fire since no reliable processor can
have been Ready in that round, implying that at most f ones will be in the vector
computed. Computations S_{t-2}, S_{t-1}, S_t, and S_{t+1} are the only ones which p needs
to consider.

Algorithm C is identical to algorithm C' except that if processor p becomes
Ready in round t then p will participate only in simulations S_{t-2}, S_{t-1}, S_t, and
S_{t+1}. Also, p will ignore the result of S_{t-2} and only act (fire or not) on the
results of S_{t-1}, S_t, and S_{t+1}. There is no difficulty in coding the four (at most)
messages of algorithm A so that each receiving processor can match them up with
the appropriate simulations.

Theorem 5. Let A be an f-resilient Bounded Byzantine Agreement algorithm.
Then algorithm Cp(A) and Cs(A) are f-resilient solutions to the Permissive and
Strict Byzantine Firing Squad problems. For Cp, Rounds(Cp(A)) ≤ Rounds(A) + 1
and for Cs, Rounds(Cs(A)) ≤ Rounds(A) + 2. Both Bits(Cp(A)) and Bits(Cs(A))
are at most n² + 4 × Bits(A).

Proof: Suppose that round t is the first round in which a reliable processor
becomes Ready. (If no reliable processor becomes Ready, then the theorem is
vacuously true.) For Cs, round t is also the first round of the measured portion of the
computation. For Cp, the first round of the measured portion of the computation
is round t − 1. By Lemma 4, all reliable processors awaken in either round t or t + 1.
Call the former early and the latter late.

Early processors will participate in simulations S_{t-2}, S_{t-1}, S_t, and S_{t+1}.
However, since they will not act on the result of S_{t-2}, the messages which are input
to these simulations are irrelevant. Late processors will participate in simulations
S_{t-1}, S_t, S_{t+1}, and S_{t+2}. Since all reliable processors participate in simulations
S_{t-1}, S_t, and S_{t+1}, the resulting vectors that they compute must satisfy conditions
(A1) and (A2). This implies that (C1) is satisfied by both Cp and Cs and that
both C algorithms are f-resilient.

Since all reliable processors are Ready by round t + 1, S_{t+1} is guaranteed to
fire. By the definition of Ready for Cp, condition (C2) is satisfied by Cp, and firing
will occur within r + 1 rounds after a reliable processor receives a START signal (or
any other signal), so Rounds(Cp) ≤ Rounds(A) + 1.

In Cs, if f + 1 reliable processors receive a START signal in round t', then
some reliable processor will become Ready by round t' + 1. By the foregoing discussion,
some reliable processor will fire by round t' + r + 2, so condition (C2’a) holds and
Rounds(Cs) ≤ Rounds(A) + 2. On the other hand, if no reliable processor receives a
START signal, then no reliable processor will send a GO signal and hence no reliable
processor will become Ready, so (C2’b) holds.

Each processor participates in at most four simulations of algorithm A. There
is no difficulty in coding the messages of these simulations to use at most four times
the number of bits used by algorithm A. The GO messages can usually “piggyback”
at no cost in Cs and sometimes do so in Cp since any non-null message will do to
communicate a GO signal. Otherwise a single bit will suffice to send a GO signal,
so Bits(Cp(A)) ≤ n² + 4 × Bits(A), and Bits(Cs(A)) ≤ n² + 4 × Bits(A). □